Dear Readers,

Privacy is one of the key policy issues of our time. The shift to a digital economy has brought about fundamental changes to the nature of modern commerce. Many of the most valuable services used by citizens worldwide are free at the point of consumption. Search, social media, messaging, and various forms of online content are available to users for no up-front monetary charge. Instead, companies monetize such services through other means, typically by selling advertising. 

This renders the consumer’s quid-pro-quo (or the “price” they pay) not to be counted in Euros, dollars, or cents, but in terms of their attention (or “eyeballs” in marketing jargon). Companies increasingly rely on data concerning user behavior and preferences in order to better target the advertisements that generate their revenue.

This shift raises legal challenges. Antitrust, in particular, has long been governed by the implicit motto that price competition is the central nervous system of the economy. When price is no longer quantifiable in currency terms, the application of established principles becomes challenging. Other concerns relating to breaches of privacy have led to different legislative developments, including notably the European Union’s General Data Protection Regulation. That law became a template for similar legislation around the world, including in jurisdictions as diverse as Turkey, Mauritius, Chile, Japan, Brazil, South Korea, South Africa, Argentina, and Kenya. As of 2022, even the United Kingdom retains the law in identical form despite no longer being an EU member state. The California Consumer Privacy Act (“CCPA”), adopted in June 2018, follows a similar schema.

The pieces in this Chronicle address various aspects of the regulation of privacy and personal data in the modern digital economy, including how this nascent (and rapidly evolving) field can and should interact with other domains of economic law (notably antitrust).

Kirk J. Nahra provides an overview of  U.S. privacy law in its current state of flux. In the absence of legislation at the Federal level, the piece projects the development of an array of new “comprehensive” state laws, creating some new privacy protections while imposing compliance challenges on industry. As the article outlines, privacy regulation is undergoing constant change at this moment in time, creating a range of challenges and opportunities for regulators, legislators and private entities. 

Melanie Drayton & Brent Homan outline the work of the Digital Citizen and Consumer Working Group (“DCCWG”), an international body under the auspices of the Global Privacy Agency. The DCCWG is focused on considering the interactions between privacy, consumer protection and competition bodies. The article explores some of the key learnings of the DCCWG over the past 5 years. Ultimately, the DCCWG view is that collaboration between competition agencies and privacy agencies is imperative to achieve coherent regulation of the digital economy.

Dr. Paul Voigt & Daniel Tolks outline the framework of the proposed EU Data Governance Act (“DGA”). The DGA is intended to create conditions to enable a European single market for data, notably by strengtheing trust in key players and to boost cross-sector data sharing. Naturally, the topics addressed by the DGA are therefore diverse, and include the re-use of data held by public sector bodies, data intermediation services, data altruism, and the creation of a European Data Innovation Board. This article provides a useful primer for any reader seeking to track the evolution of European data regulation.

Anne C. Witt outlines the issues at stake in Case C-252/21 Facebook Inc. and Others v. Bundeskartellamt. The key question facing the German Courts is the extent to which competition agencies should be allowed to consider the legality of certain conduct under the GDPR when applying competition rules. The piece argues that in the age of data-based business models, it is unhelpful to look at competition and privacy issues in isolation. Judicious regulation of digital platforms requires an interdisciplinary and interinstitutional approach. 

Ben Rossen explores the options open to the U.S. FTC to regulate privacy in the absence of Federal legislation covering the field. The FTC is widely expected to commence a rulemaking process to “curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.” The paper addresses some of the reasons why FTC rulemaking may be a poor substitute for federal legislation (and potentially an inefficient allocation of limited agency resources).

Finally, Melissa J. Krasnow outlines the implications of the FTC’s Final Rule regarding Standards for Safeguarding Customer Information. The article also highlights differences between the FTC Rule and the New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies. Financial institutions to which the FTC Rule applies must assess the extent to which their information security programs satisfy the those requirements. By contrast, others to which the FTC Rule does not apply also may choose to assess where their programs, policies, and practices, among other things, stand in light of evolving federal and state law.

In sum, this Chronicle provides a fascinating snapshot of the current state of privacy regulation worldwide. As the pieces should make evident, the implications of growing privacy concerns will have numerous impacts on different aspects of economic regulation, including notably the enforcement of the antitrust rules.

As always, many thanks to our great panel of authors.

Sincerely,

CPI Team

Click here for the full TechREG® Chronicle.